Large-Scale Hacks Cause 98% of Leaked Healthcare Records

In 2015, one in three Americans was the victim of a healthcare data breach, a figure attributed to a series of large-scale attacks that each affected more than 10 million individuals. As a result, more than 111 million individuals’ data was lost due to hacking or IT incidents in the US alone.

According to Bitglass’ 2016 Healthcare Breach Report, 98% of record leaks were due to large-scale breaches targeting the healthcare industry. These high-profile attacks were the largest source of healthcare data loss and indicate that cyber-attackers are increasingly targeting medical data. They include the widely publicized Premera Blue Cross hack, involving 11 million customers, and the Anthem hack, which resulted in 78.8 million leaked customer records.

The findings come from analyzing data on the United States Department of Health and Human Services’ “Wall of Shame,” a database of breach disclosures required as part of the Health Insurance Portability and Accountability Act (HIPAA).

In 2015, there were 56 breaches due to hacking or IT incidents, up from 31 in 2014. Only 97 breaches were due to loss or theft last year, down from 140 in 2014.

“Protected health information (PHI) -- which includes sensitive information such as Social Security numbers, medical record data, and date of birth -- has incredible value on the black market,” the report noted. “A recent Ponemon Institute report on the cost of breaches found the average cost per lost or stolen record to be $154. That number skyrockets to $363 on average for healthcare organizations.”

Bitglass also pointed out the costs to consumers: When credit card breaches occur, issuers can simply terminate all transactions and individuals benefit from laws that limit their liability. However, victims have little recourse when subjected to identity theft via PHI leaks, and many are not promptly informed that their data has been compromised. While criminals often leverage healthcare data for the purposes of identity theft, they can also leverage it to access medical care in the victim’s name or to conduct corporate extortion.